Well, years have literally come and gone since covered entities first scrambled to comply with HIPAA’s Privacy Rule and Security Rule requirements, yet there continued to be no formal penalties assessed by the government for HIPAA violations.  Many believed that such a day would never come . . . but they were wrong.

In its July 17, 2008 e-mail Press Release, the U.S. Department of Health & Human Services (HHS) announced that it had entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential privacy and security violations of HIPAA.

In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable e-PHI against theft or loss.  The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

Winston Wilkinson, the director of the HHS Office for Civil Rights (OCR), stated in the Press Release that “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”

The Press Release confirms that this is the first time HHS has required a Resolution Agreement from a covered entity.  Providence’s cooperation with OCR and the Centers for Medicare & Medicaid Services (CMS) allowed HHS to resolve this case without the need to impose a civil money penalty.

Once the e-mail Press Release is formally posted on the government’s website, I will link it here.  Otherwise, you can also keep checking http://www.hhs.gov/ocr/privacy/enforcement/.

To read more about the facts in this case, read on . . . .

On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients.

After Providence, pursuant to state notification laws, informed patients of the theft, HHS received over 30 complaints about the stolen tapes and disks.  Providence also reported the stolen media to HHS.  OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

Under the Resolution Agreement, Providence agrees to pay a $100,000 resolution amount to HHS and implement a robust Corrective Action Plan that requires: revising its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; training workforce members on the safeguards; conducting audits and site visits of facilities; and submitting compliance reports to HHS for a period of three years.

Kerry Weems, the acting administrator of CMS, commented, “This resolution confirms that effective compliance means more than just having written policies and procedures.  To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.”